After the Mirai botnet was recently used to bring down large portions of cyberspace, there have been new calls for regulating Internet of Things (IoT) devices. Since the voluntary IoT security approach is clearly failing, what can we expect moving forward? Are better standards needed? Should government mandate more security for IoT devices for consumer protection? Let’s explore.
After plenty of talk and minimal action on securing new Internet of Things (IoT) devices for several years, many security and technology industry experts knew this was coming.
Indeed, a majority in the security community have been predicting this outcome — with 2016 security predictions from last year full of examples of IoT troubles ahead. The message to global manufacturers: “Get your IoT house in order, or else. ...”
Well — perhaps the “or else” has arrived regarding insecure smart devices. But before we delve into potential regulatory actions or other responses, here’s some background. But is there more to come? Almost certainly.
Background on Recent Distributed Denial of Service (DDoS) Attacks
This IoT Journal article provides some good background on the recent DDoS Attacks prior to Oct. 21 DDoS attack on Dyn’s Domain Name Service (DNS). Here’s an excerpt:
On Sept. 20, that is what happened — except that rather than targeting a household brand, the hackers took aim at an investigative reporter, Brian Krebs, who covers cybersecurity.
In an attempt to take down his website, KrebsonSecurity, hackers infected a massive network of computers with malware, creating a botnet that perpetrated the largest distribution denial-of-service (DDoS) attack ever recorded.
And then, a major DDoS cyberattack brought down almost half the Internet on Oct. 21, 2016.
Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning. This was happening as hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s probably safe to assume that the two situations are related.
Update 12:28 PM EST: Dyn says it is investigating yet another attack, causing the same massive outages experienced this morning. Based on emails from Gizmodo readers, this new wave of attacks seems to be affecting the West Coast of the United States and Europe. It’s so far unclear how the two attacks are related, but the outages are very similar.
Update 4:22 PM EST: Looks like this is probably going to get even worse before it gets any better. Dyn says they are being hit with a third wave of attacks. Dyn told CNBC the attack is “well planned and executed, coming from tens of millions IP addresses at the same time.”
Here are some more details on what happened in this latest DDoS attack on Dyn, released on Oct. 28, 2016.
Hilton explained the early estimates of tens of millions of IP addresses were due to "the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data, but the estimate at the time of this report is up to 100,000 malicious endpoints."
"We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets," Hilton wrote. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers."
Chinese electronics firm Xiongmai is initiating a product recall after the enormous hacking attack that took down much of the internet on the east coast of the US and also affected Europe on Friday.
The root of the attack, which took the form of a distributed denial of service attack (DDoS), was a network of hacked “Internet of Things” devices, such as webcams and digital recorders, many of which were made by Xiongmai.
New Calls for Regulation and IoT Oversight
After the DDoS and Internet outages, there have been plenty of reactions, such as Sen. Mark Warner asking the FCC whether ISPs can block insecure ISP devices. Here’s an excerpt:
“Mirai’s efficacy depends, in large part, on the unacceptably low level of security inherent in a vast array of network devices. Attackers perform wide-ranging scans of IP addresses, searching for devices with poor security features such as factory default or hard-coded (i.e., unchangeable) passwords, publicly accessible remote administration ports (akin to open doors), and susceptibility to brute force attacks,” Warner said in his letter to FCC Chairman Thomas Wheeler.
“In my June 6th letter to the Federal Trade Commission (FTC), I raised serious concerns with the proliferation of these insecure connected consumer products, noting that the ‘ever-declining cost of digital storage and Internet connectivity have made it possible to connect an unimaginable range of products and services to the Internet,’ potentially without adequate market incentives to adopt appropriate privacy and security measures.”
Meanwhile, Business Insider’s Rob Price wrote that the government needs to step in and save the Internet from hacked toasters. “The Internet is facing an unprecedented threat from toasters — and calls are mounting for governments to step in and fix things.”
The article goes on to also give a contrarian view from Rob Graham. He pointed out that even if some nations did legislate against insecure IoT devices, it would do little to affect those sold in other jurisdictions — which could then be used for attacks.
"Morons think U.S. should pass a software liability law that will somehow affect Chinese devices sold to Ukraine," he wrote on Twitter.
In another post DDoS response example, Technobuffalo.com responded with calls for regulation, not recalls, as the answer for the Mirai botnet. “This is certainly a topic that will continue to make headlines. It’s now our job to call on manufacturers and, indeed, the government, to create regulations for stricter security in connected devices. Unfortunately, millions of insecure products are still on the market. A recall of 10,000 will hardly make a difference, even if it’s a step in the right direction.”
IoT Perspectives from the Wisconsin Cyber Summit 2016
I was in Madison, Wisc., this past week to present on Securing IoT at Gov. Scott Walker’s 4th Cybersecurity Summit.
The opening keynote was given by Dr. P.W. Singer on The Future of Technology and Geopolitics. His remarks also addressed the reasons that securing IoT devices will be so hard moving forward and the top challenges we face. Here they are:
That last point is one that I certainly agree with.
While I would prefer to see voluntary action taken by industry rather than new regulation, it appears that the voluntary approach is not working.
However, I think we are still a long way from seeing banned IoT devices, in the same way we have the Samsung Galaxy Note 7 currently banned on U.S. airline flights due to the risk of fire. Could some devices eventually be banned? Perhaps, but I suspect we will start seeing stronger standards being implemented first.
My presentation in Wisconsin focused on our need to learn from history and not just be naysayers on IoT. I discussed what I have learned about enabling security through my experiences with Wi-Fi and BYOD. I ended my IoT presentation this week with a list of recommendations that I will share with you now.
For connected device manufacturers, I offered this advice a few weeks back about utilizing the new Cloud Security Alliance (CSA) Guide for Securing IoT Products. In my Wisconsin Cybersecurity Summit presentation, I also encouraged IoT vendors to:
I leave you with this quote from William Pollard: "Learning and innovation go hand in hand. The arrogance of success is to think that what you did yesterday will be sufficient for tomorrow."